CVE-2021-44223

CVE Database · CVE-2021-44223

CVE-2021-44223

· HIGHModified

CVSS v3.1

8.1

EPSS

28.98%

Published

Nov 25, 2021

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products (1)

wordpress · wordpress (up to 5.8)vulnerable

References (4)

https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/

Release NotesVendor Advisory

https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/

ExploitThird Party Advisory

https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/

Release NotesVendor Advisory

https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/

ExploitThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs